#NSBCS.070 - Pig Butchering Scams: More Than Just Fake Crypto Investments

Source: NSB Cyber


Pig Butchering Scams: More Than Just Fake Crypto Investments

ASIC is urging consumers to stay alert when using online investment platforms and apps, after successfully applying to wind up 95 companies linked to suspected pig butchering scams. The Federal Court approved ASIC’s application last month, noting that many of the companies had been registered using false information and may be tied to investment and romance-based fraud.

What is Pig Butchering?

Pig Butchering is a fast-growing type of online fraud where scammers build long-term trust with victims, often via dating apps, social media, or SMS, before luring them into fake investment platforms, typically involving cryptocurrency. The scam feels personal and convincing, with victims seeing fake profits on fraudulent platforms, encouraging further investment. When attempting to withdraw funds, victims face fake fees, and the scammer eventually vanishes. The deception often persists as scammers may re-target victims with "recovery scams," posing as authorities or experts offering to retrieve lost funds for additional fees, further exploiting their trust.

How Victims are Ordinarily Targeted:

  • Victims are asked to pay fake withdrawal fees, tax or admin charges to "unlock" profits that don’t exist.

  • Scammers pose as lawyers or investigators offering to retrieve lost money, for a fee.

  • Scammers continue the emotional relationship, pretending to be in trouble and needing urgent money.

  • Personal documents and data shared during the scam are used for further fraud.

  • Victims may be tricked into installing apps or allowing remote access to further compromise their devices and accounts.

  • Victims are approached again with new investment pitches, such as forex, NFTs, or AI trading scams.

Red Flags to Watch Out For:

  • Unsolicited contact that quickly turns personal, with excessive emotional "love bombing".

  • Communications shifting to encrypted platforms like WhatsApp.

  • Constant talk of financial opportunities.

  • Pushing crypto or investment platforms.

  • Pressure to act fast, invest more, or stay secretive.

  • Refusing to meet in person, or asking that the opportunity be kept secret from family and friends.

  • Requests for ID documents, personal or intimate photos or remote access to your device.

Pig butchering scams are sophisticated, emotionally manipulative, and financially devastating. For many victims the scam doesn’t stop at the first loss; it spirals into multiple layers of deception. The best defence is awareness. Talk about these scams, share what you know, and help others avoid being drawn into a trap where trust is the bait and financial ruin is the endgame.


What we read this week

  • Hertz Customer Information Compromised in Breach - Hertz Corporation has disclosed a data breach impacting its Hertz, Thrifty, and Dollar brands, following exploitation of zero-day vulnerabilities in Cleo's managed file transfer platforms (Cleo Harmony, VLTrader, LexiCom). The unauthorised access occurred between October and December 2024, affecting customer details including names, contact information, dates of birth, credit card numbers, and driver’s licence data. A limited number also had sensitive records, such as Social Security numbers, passports, and Medicare/Medicaid IDs, compromised. Hertz has not publicly confirmed the total affected individuals but is offering two years of identity monitoring, advising vigilance for potential fraud.

  • ResolverRAT Targets Healthcare via Stealthy .NET Memory Injection Technique - A newly discovered Remote Access Trojan, ResolverRAT, is actively targeting healthcare and pharmaceutical organisations globally via phishing emails disguised as legal or copyright notices. Delivered through legitimate executables, it leverages reflective DLL loading and a sophisticated .NET 'ResourceResolve' hijacking technique to inject itself entirely within memory, bypassing standard security detection. ResolverRAT establishes persistence through XOR-obfuscated Windows Registry keys and filesystem entries, performs anti-analysis via sandbox fingerprinting, and exfiltrates data stealthily by breaking large files into discrete 16 KB chunks to evade traffic analysis. Attacks currently observed include Italian, Czech, Hindi, Turkish, Portuguese, and Indonesian language variants.

  • China Admits Cyberattacks; Targets US Critical Infrastructure via EDR Gaps - Chinese government-linked APT groups, including Volt Typhoon and Salt Typhoon, have openly acknowledged cyberattacks on critical United States (US) infrastructure—particularly utilities and telecom networks—in retaliation for US support of Taiwan. Exploiting endpoint detection and response (EDR) visibility gaps, attackers are compromising devices traditionally overlooked, such as firewalls and edge equipment. Experts highlight the necessity for organisations to integrate network analysis, identity access management, threat hunting, and artificial intelligence to close detection gaps. Approximately 79% of US IT leaders identify China as their primary cyber threat, underscoring the urgent need for evolving cybersecurity beyond traditional EDR solutions.

  • Tycoon2FA Phishing Kit Boosts Evasion with Unicode and Custom CAPTCHAs - Operators of the Tycoon2FA Phishing-as-a-Service (PhaaS) have upgraded the kit to enhance its anti-detection capabilities. Notable updates include replacing third-party CAPTCHAs with a custom HTML5 canvas-based version, employing invisible Unicode in JavaScript obfuscation combined with Proxy objects to delay execution, and integrating anti-debugging scripts to block developer tools and detect automation. Suspected analysis triggers redirection to legitimate websites, prolonging phishing campaigns. Researchers recommend security teams leverage behaviour-based monitoring, browser sandboxing, and detailed JavaScript inspection techniques. YARA detection rules are also available to assist in identifying this updated threat.

  • Gladinet Critical Vulnerability Actively Exploited - Huntress researchers report active exploitation of a critical vulnerability (CVE-2025-30406, CVSS 9/10) in Gladinet CentreStack and Triofox software due to hard-coded cryptographic keys in default configurations. Attackers exploit these keys to bypass ASPX ViewState protections, executing malicious PowerShell commands as Internet Information Services (IIS) application pool users, potentially escalating privileges to full system control. Huntress identified abnormal outbound connections and encoded PowerShell scripts downloading DLL payloads. Approximately 120 endpoints exhibited anomalous activity, with lateral movement via MeshCentral and Impacket scripts. Gladinet has released effective patches, and CISA has included this flaw in its Known Exploited Vulnerabilities catalogue.
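As an added example (not part of this newsletter, and not Gladinet's code or configuration), the following Python check audits an ASP.NET web.config for the class of weakness the Gladinet item describes: a static <machineKey> that keys ViewState signing and encryption identically on every install. Both sample configs are constructed; that the Gladinet default took exactly this form, and where its web.config lives, are assumptions.

```python
"""Flag static ASP.NET <machineKey> values in a web.config.

Constructed example: a hard-coded validationKey/decryptionKey means every
deployment shares the key that protects ViewState, so the MAC check can be
satisfied by anyone who knows the default. The configs below are made up.
"""
import xml.etree.ElementTree as ET

# Constructed sample: weak configuration with hard-coded keys.
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed sample: per-application auto-generated keys (the hardened form).
HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def audit_machine_key(config_xml: str) -> list:
    """Return a list of findings; an empty list means no static key was found."""
    findings = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET's own default when the attribute is absent.
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if not value.startswith("AutoGenerate"):
                findings.append(f"{attr} is a static value ({len(value)} hex chars)")
            elif "IsolateApps" not in value:
                findings.append(f"{attr} auto-generates but is shared across apps")
        if mk.get("validation", "").upper() in ("MD5", "SHA1"):
            findings.append(f"weak validation algorithm {mk.get('validation')}")
    return findings


if __name__ == "__main__":
    # Hypothetical path: replace with the application's actual web.config.
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_machine_key(cfg) or ["OK"])
```

Run the function over the real web.config contents rather than the embedded samples; any finding on a production host means the keys should be regenerated per application after patching.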

